5 changes: 5 additions & 0 deletions packages/aws/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
- version: "5.6.0"
changes:
- description: Update Grok pattern to support the latest ELB HTTP log format.
type: enhancement
link: https://github.com/elastic/integrations/pull/16713
- version: "5.5.0"
changes:
- description: Add dashboards for AWS Web Application Firewall data stream.
Expand Up @@ -6,4 +6,5 @@ tls 2.0 2024-10-25T17:33:59 net/k8s-xxxx-xxx-xxxxxxxx/53192f3a0 46712e747de 192.
tls 2.0 2024-10-25T17:33:59 net/XXXXX-XXXX-XXX-us-east-2/c88927aafc9abafe 52878890095341b5 192.168.131.39:2817 10.0.0.1:80 0 - 0 0 - - - - - - - - - - 2024-10-25T17:33:59
2024-10-04T17:05:15.514108Z 192.168.131.39 36280 443 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 4.036 "CN=amazondomains.com,O=endEntity,L=Seattle,ST=Washington,C=US" NotBefore=2023-09-21T22:43:21Z;NotAfter=2026-06-17T22:43:21Z FEF257372D5C14D4 Success
2024-10-04T17:05:15.514108Z 192.168.131.39 36280 443 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 - "CN=amazondomains.com,O=endEntity,L=Seattle,ST=Washington,C=US" NotBefore=2023-09-21T22:43:21Z;NotAfter=2026-06-17T22:43:21Z FEF257372D5C14D4 Failed:ClientCertUntrusted
2024-11-29T13:45:24.599544Z 172.31.43.26 58206 80 - - - "-" - - - TID_16132ed0b4112148
2024-11-29T13:45:24.599544Z 172.31.43.26 58206 80 - - - "-" - - - TID_16132ed0b4112148
http 2025-05-01T11:24:32.748149Z app/internal-service-alb/abcd1234efgh5678 127.0.0.1:57273 - -1 -1 -1 200 - 0 272 "- http://internal-service-alb.example.com:80-/ " "-" - - - "-" "-" "-" - 2025-05-01T11:24:32.720000Z "-" "-" "-" "-" "-" "-" "-" TID_00000000000000000000000000000000
Expand Up @@ -534,6 +534,58 @@
"tags": [
"preserve_original_event"
]
},
{
"@timestamp": "2025-05-01T11:24:32.748Z",
"aws": {
"elb": {
"name": "app/internal-service-alb/abcd1234efgh5678",
"protocol": "http"
}
},
"cloud": {
"provider": "aws"
},
"ecs": {
"version": "8.11.0"
},
"event": {
"category": [
"web"
],
"end": "2025-05-01T11:24:32.748Z",
"kind": "event",
"original": "http 2025-05-01T11:24:32.748149Z app/internal-service-alb/abcd1234efgh5678 127.0.0.1:57273 - -1 -1 -1 200 - 0 272 \"- http://internal-service-alb.example.com:80-/ \" \"-\" - - - \"-\" \"-\" \"-\" - 2025-05-01T11:24:32.720000Z \"-\" \"-\" \"-\" \"-\" \"-\" \"-\" \"-\" TID_00000000000000000000000000000000",
"outcome": "success"
},
"http": {
"request": {
"body": {
"bytes": 0
}
},
"response": {
"body": {
"bytes": 272
},
"status_code": 200
}
},
"source": {
"address": "127.0.0.1",
"ip": "127.0.0.1",
"port": 57273
},
"tags": [
"preserve_original_event"
],
"user_agent": {
"device": {
"name": "Other"
},
"name": "Other",
"original": "-"
}
}
]
}
Expand Up @@ -107,7 +107,7 @@ processors:
(?:-|%{NUMBER:aws.elb.backend.http.response.status_code:long})
%{NUMBER:http.request.body.bytes:long}
%{NUMBER:http.response.body.bytes:long}
\"(?:-|%{WORD:http.request.method}) (?:-|%{DATA:_tmp.uri_orig}) (?:-|HTTP/%{NOTSPACE:http.version})\"
\"(?:-|%{WORD:http.request.method}) (?:-|%{DATA:_tmp.uri_orig})(?: (?:-|HTTP/%{NOTSPACE:http.version}))?\"
\"%{DATA:_tmp.user_agent}\"
%{ELBSSL}
ELBTCPLOG: >-
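Review bot: With the HTTP-version token now optional (the `(?: (?:-|HTTP/%{NOTSPACE:http.version}))?` group on the changed line), the lazy `%{DATA:_tmp.uri_orig}` has to run up to the closing quote, so for the new sample line it captures the URL together with its trailing space. The expected document added for that sample has no `url.*` fields, which suggests the value is dropped later in the pipeline; malformed request lines are often the ones an analyst wants to search, so it is worth confirming that this loss is intended. Consuming the stray whitespace before the quote would keep the capture clean: `(?:-|%{DATA:_tmp.uri_orig})(?: (?:-|HTTP/%{NOTSPACE:http.version}))?\s*\"`. A comment above this definition's key (not inside the block scalar, where it would become part of the pattern) would also help, e.g. `# HTTP version token is optional: some entries log "- <url> " with no protocol`. The pattern definition starts and ends outside this hunk, so the later URI handling is not visible here.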
2 changes: 1 addition & 1 deletion packages/aws/manifest.yml
@@ -1,7 +1,7 @@
format_version: 3.4.0
name: aws
title: AWS
version: 5.5.0
version: 5.6.0
description: Collect logs and metrics from Amazon Web Services (AWS) with Elastic Agent.
type: integration
categories: